From: Pablo Neira <pablo@eurodev.net>
To: Krzysztof Oledzki <olenf@ans.pl>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Unable to handle kernel NULL pointer dereference at virtual address 00000000 after conntrack -I
Date: Sun, 06 Nov 2005 03:57:42 +0100
Message-ID: <436D7126.9050900@eurodev.net>
In-Reply-To: <Pine.LNX.4.63.0511060256410.29836@bizon.gios.gov.pl>
Krzysztof Oledzki wrote:
> [NETFILTER] Check for ICMP_ID in icmp_nfattr_to_tuple
>
> This patch fixes a userspace-triggered oops. If there is no ICMP_ID
> info, the reference to attr will be NULL.
>
> Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
>
> --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-11-06
> 02:17:29.000000000 +0100
> +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-11-06
> 02:18:45.000000000 +0100
> @@ -296,7 +296,8 @@
> struct ip_conntrack_tuple *tuple)
> {
> if (!tb[CTA_PROTO_ICMP_TYPE-1]
> - || !tb[CTA_PROTO_ICMP_CODE-1])
> + || !tb[CTA_PROTO_ICMP_CODE-1]
> + || !tb[CTA_PROTO_ICMP_ID-1])
> return -1;
>
> tuple->dst.u.icmp.type =
>
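Review bot: the added `|| !tb[CTA_PROTO_ICMP_ID-1]` makes the ID attribute mandatory for every ICMP tuple, which closes the NULL dereference but also turns an unpatched libnetfilter_conntrack (which only sent CTA_PROTO_ICMP_ID for type 8) into a hard -1 failure for every non-echo conntrack -I; the kernel and library changes therefore need to land together, or, if older userspace has to keep working, the kernel side could instead fall back to an id of 0 when the attribute is absent. The hunk does not show how tb[] is sized, so confirm CTA_PROTO_ICMP_ID-1 is inside the array before relying on the index.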
> Anyway, libnetfilter_conntrack_icmp.c should also be fixed. Currently
> ICMP_ID is not added if TYPE is not 8 (ICMP ECHO). I believe we should
> simply skip this check (libnetfilter_conntrack_icmp-icmpid.patch):
The patch looks fine. I'll pass this patch to Harald; I don't want it to
get lost.
> Index: extensions/libnetfilter_conntrack_icmp.c
> ===================================================================
> --- extensions/libnetfilter_conntrack_icmp.c (revision 4480)
> +++ extensions/libnetfilter_conntrack_icmp.c (working copy)
> @@ -38,10 +38,12 @@
> &t->l4dst.icmp.code, sizeof(u_int8_t));
> nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_TYPE,
> &t->l4dst.icmp.type, sizeof(u_int8_t));
> - /* This is an ICMP echo */
> - if (t->l4dst.icmp.type == 8)
> - nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_ID,
> - &t->l4src.icmp.id, sizeof(u_int16_t));
> +
> + /* The ID only makes sense for type=8 (ECHO) but we always
> + * want to set it or else kernel will reject such messages.
> + */
I removed this comment; I inserted it myself and it's bogus. The ID
makes sense for *some* ICMP messages, not just for type=8.
> + nfnl_addattr_l(&req->nlh, size, CTA_PROTO_ICMP_ID,
> + &t->l4src.icmp.id, sizeof(u_int16_t));
> }
>
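Review bot: making the nfnl_addattr_l(..., CTA_PROTO_ICMP_ID, ...) call unconditional means t->l4src.icmp.id is now sent for every ICMP type, and the hunk does not show whether callers initialize that field for anything but echo; confirm the tuple is zeroed before these calls, otherwise stale bytes get handed to the kernel as the ID. Minor: the lone `+` blank line after the TYPE attribute adds an empty line with no purpose, and since the explanatory comment is being dropped on apply, a one-line note that the kernel now requires the attribute for all types would help the next reader.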
I'm going to apply it now. Thanks.
--
Pablo
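Added example, not code from this thread or from netfilter: a simplified stand-in for the nfattr table and the checked conversion, showing why an ICMP_ID attribute that userspace did not send must be rejected rather than dereferenced. The struct layouts, enum values, and the helpers nfattr_parse, nfa_put and convert_message are constructed for this example.

```c
/* Simplified model of kernel nfattr handling (constructed for this
 * example, not the real netfilter code): attributes arrive from
 * userspace as TLVs, are parsed into tb[] indexed by type-1, and an
 * attribute userspace did not send leaves a NULL slot. */
#include <stdint.h>
#include <string.h>

/* Attribute names from the patch; the numeric values are illustrative. */
enum { CTA_PROTO_ICMP_ID = 1, CTA_PROTO_ICMP_TYPE, CTA_PROTO_ICMP_CODE, CTA_PROTO_MAX };

struct nfattr { uint16_t nfa_len; uint16_t nfa_type; }; /* payload follows */
#define NFA_ALIGN(n)  (((n) + 3u) & ~3u)
#define NFA_DATA(nfa) ((void *)((char *)(nfa) + sizeof(struct nfattr)))

struct icmp_tuple { uint16_t id; uint8_t type; uint8_t code; };

/* Walk the TLV buffer and fill tb[]; truncated or unknown attributes are skipped. */
static void nfattr_parse(struct nfattr *tb[], void *buf, size_t len)
{
    char *p = buf, *end = p + len;
    memset(tb, 0, sizeof(*tb) * (CTA_PROTO_MAX - 1));
    while ((size_t)(end - p) >= sizeof(struct nfattr)) {
        struct nfattr *nfa = (struct nfattr *)p;
        if (nfa->nfa_len < sizeof(*nfa) || (size_t)(end - p) < nfa->nfa_len)
            break;                                  /* truncated: stop */
        if (nfa->nfa_type >= 1 && nfa->nfa_type < CTA_PROTO_MAX)
            tb[nfa->nfa_type - 1] = nfa;
        p += NFA_ALIGN(nfa->nfa_len);
    }
}

/* Hardened conversion, as in the patch: every attribute that will be
 * dereferenced must be present, otherwise the message is rejected. */
static int icmp_nfattr_to_tuple(struct nfattr *tb[], struct icmp_tuple *t)
{
    if (!tb[CTA_PROTO_ICMP_TYPE-1] || !tb[CTA_PROTO_ICMP_CODE-1]
        || !tb[CTA_PROTO_ICMP_ID-1])
        return -1;
    t->type = *(uint8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_TYPE-1]);
    t->code = *(uint8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_CODE-1]);
    t->id   = *(uint16_t *)NFA_DATA(tb[CTA_PROTO_ICMP_ID-1]);
    return 0;
}

/* Append one attribute (userspace side) and return the new buffer length. */
static size_t nfa_put(char *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    struct nfattr *nfa = (struct nfattr *)(buf + off);
    nfa->nfa_len = (uint16_t)(sizeof(*nfa) + dlen); nfa->nfa_type = type;
    memcpy(NFA_DATA(nfa), data, dlen);
    return off + NFA_ALIGN(nfa->nfa_len);
}

/* Build a message and convert it; with_id=0 mimics the old library, which
 * omitted CTA_PROTO_ICMP_ID whenever the type was not 8 (echo). */
static int convert_message(uint8_t type, uint8_t code, uint16_t id, int with_id, struct icmp_tuple *out)
{
    uint32_t raw[16]; char *buf = (char *)raw; size_t len = 0;
    struct nfattr *tb[CTA_PROTO_MAX - 1];
    len = nfa_put(buf, len, CTA_PROTO_ICMP_TYPE, &type, 1);
    len = nfa_put(buf, len, CTA_PROTO_ICMP_CODE, &code, 1);
    if (with_id) len = nfa_put(buf, len, CTA_PROTO_ICMP_ID, &id, 2);
    nfattr_parse(tb, buf, len);
    return icmp_nfattr_to_tuple(tb, out);
}
```

Before the patch the missing-ID case would have dereferenced the NULL slot; with the check it returns -1 and the kernel simply refuses the message.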